Cryptanalysis Method and System

ABSTRACT

A cryptanalysis method comprising:
     (A) Performing a ciphertext-only direct cryptanalysis of A5/1 and   (B) Using results of Step (A) to facilitate the decryption and/or encryption of further communications that are consistent with encryption using the session key and/or decryption using the session key, wherein the cryptanalysis considers part of the bits of the session key to have a known fixed value, and wherein the cryptanalysis finds the session key. An efficient known plaintext attack on AS/2 comprises trying all the possible values for R4, and for each such value solving the linearized system of equations that describe the output;   The solution of the equations gives the internal state of R1, R2, and R3;   Together with R4, this gives the full internal state which gives a suggestion for the key.

PRIORITY CLAIMS

This application is a continuation of and claims priority from: U.S.patent application Ser. No. 13/184,775, titled “Cryptanalysis Method andSystem”, filed by the inventors of the present invention on Jul. 18,2011, which is a continuation of U.S. patent application Ser. No.10/554,587, titled “Cryptanalysis Method and System”, filed by theinventors of the present invention on Sep. 25, 2006, which is a NationalPhase Application of PCT/IL2004/000364 filed on Apr. 30, 2004, which inturn claims priority from Israel Patent IL 155671 filed on Apr. 30,2003, all of which are hereby incorporated into the present descriptionin their entirety.

TECHNICAL FIELD

The present invention relates to cryptanalysis methods, and moreparticularly to ciphertext-only cryptanalysis of GSM encryptedcommunications received off the air.

The present invention is scheduled to be published as a scientific paperand presented in Crypto 2003 conference, Aug. 17-21, 2003, SantaBarbara, Calif., USA.

BACKGROUND OF THE INVENTION

This section details the need for the present invention, prior artcryptanalysis methods and the encryption method now used in GSM.

GSM is the most widely spread method of cellular communications. Itincludes a measure of data protection by encryption, which sometimes itmay be desirable to decrypt.

For example, law enforcement agencies, such as the police, may desire tolisten to cellular communications, without a physical connection to thecellular infrastructure. This process often requires court permission,and is sometimes referred to as lawful interception.

Customers have a sense of security when using the cellular phone, whichsometimes is not justified. Eavesdroppers may listen on a conversation,hijack a call or make phone calls at a user's expense. It may bedesirable to test the level of security of the system by performingattempts at attacking the system. The actual level of network securitycan thus be evaluated. Such tests may be performed by the cellularnetwork provider, by local support entities or customer protectionagencies.

The above, as well as other applications, require the performance ofcryptanalysis in real time, in a short time period and using areasonable amount of digital memory, such as has not been achieved inprior art.

GSM is the most widely used cellular technology. By December 2002, morethan 787.5 million GSM customers in over 191 countries formedapproximately 71% of the total digital wireless market. GSM incorporatessecurity mechanisms. Network operators and their customers rely on thesemechanisms for the privacy of their calls and for the integrity of thecellular network. The security mechanisms protect the network byauthenticating customers to the network, and provide privacy for thecustomers by encrypting the conversations while transmitted over theair.

GSM uses encryption to protect transmitted signals. There are two basicmethods in use now, A5/1 and A5/2, with the former mostly used in theMiddle East and the latter generally for the rest of the world. The A5/1is more difficult to decrypt without a prior knowledge of the key thathas been used.

Thus, to listen to GSM transmissions, it is required to decrypt themessages. The frequency hopping in GSM makes the problem all the moredifficult.

There are three main types of cryptographic algorithms used in GSM: A5is a stream-cipher algorithm used for encryption, A3 is anauthentication algorithm and A8 is the key agreement algorithm. Thedesign of A3 and A8 is not specified in the specifications of GSM, onlythe external interface of these algorithms is specified. The exactdesign of the algorithm can be selected by the operators independently.However, many operators used the example, called COMP128, given in theGSM memorandum of understanding (MoU).

Prior art cryptanalysis methods pose unrealistic demands, such as a fewminutes of known conversation to the bits, see list of references below.

Briceno, Goldberg, and Wagner have performed cryptanalysis of the foundCOMP128, allowing to find the shared (master) key of the mobile and thenetwork, thus allowing cloning. The description of algorithm A5 is partof the specifications of GSK, but was never made public. There are twocurrently used versions of A5: A5/1 and A5/2. A5/1 is the “strong”export-limited version. A5/2 is the version that has no exportlimitations, however it is considered the “weak” version.

The exact design of both A5/1 and A5/2 was reverse engineered by Bricenofrom an actual GSM telephone in 1999 and checked against knowntest-vectors. An additional new version, which is standardized but notyet used in GSM networks is A5/3. It was recently chosen, and is basedon the block cipher KASUMI.

GPRS (General Packet Radio Service) is a new service for GSM networksthat offer ‘always-on’, higher capacity, Internet-based content andpacket-based data services, it enables services such as color Internetbrowsing, e-mail on the move, powerful visual communications, multimediamessages and location-based services. GPRS uses its own cipher, however,the key for the GPRS cipher is created by the same A3A8 algorithm in thesubscriber's SIM card, using the same K_(i) as used for creatingencryption keys for A5/1, A5/2 and A5/3. We will use this fact to attackit later. A5/1 was initially cryptanalized by Golic, and later by:Biryukov, Shamir and Wagner, Biham and Dunkelman, and recently by Ekdahland Johansson.

After A5/2 was reverse engineered, it was immediately cryptanalized byGoldberg, Wagner and Green. Their attack is a known plaintext attackthat requires the difference in the plaintext of two GSM frames, whichare exactly 2¹¹ frames apart (about 6 seconds apart). The average timecomplexity of this attack is approximately 2¹⁶ dot products of 114-bitvectors.

Apparently, this attack is not applicable (or fails) in about half ofthe cases, since in the first frame it needs the 11th bit of R4 to bezero after the initialization of the cipher. A later work by Petrovicand Fuster-Sabater suggests to treat the initial internal state of thecipher as variables, write every output bit of the A5/2 algorithm as aquadratic function of these variables, and linearize the quadraticterms. They showed that the output of A5/2 can be predicted withextremely high probability after a few hundreds of known output bits.However, this attack does not discover the session key of A5/2 (Kc).

Thus, it is not possible to use this attack as a building block for moreadvanced attacks, like those that we present later. The time complexityof this later result is proportional to 2¹⁷ Gauss eliminations ofmatrices of size of (estimated) about 400×719.

Goldberg, Wagner and Green presented the first attack on A5/2. The timecomplexity of this attack is very low. However, it requires theknowledge of the XOR of plaintexts in two frames that are 2¹¹ framesapart. Their attack shows that the cipher is quite weak, yet it mightprove difficult to implement such an attack in practice. The problem isknowing the exact XOR of plaintexts in two frames that are 6 secondsapart.

Another aspect is the elapsed time from the beginning of the attack toits completion. Their attack takes at least 6 seconds, because it takes6 seconds to complete the reception of the data. The novel methoddisclosed in the present application greatly improves the speed of theattack.

The known plaintext attack of Petrovic and Fuster-Sabater have similardata requirements as our attack, however it does not recover the sessionkey (Kc) and, therefore, may not be suitable for the active attacks thatwe describe later.

The state of prior art can be reviewed in the following references:

1. A pedagogical implementation (in C programming language) of A5/1 andA5/2:

Marc Briceno, Ian Goldberg, David Wagner, A pedagogical implementationof the GSM A5/1 and A5/2 “voice privacy” encryption algorithms,http://cryptome.org/gsm-a512.htm (Originally on www.scard.org), 1999.

2. Description and cryptanalysis of COMP128, used by many GSM operatorsas A3A8:

Marc Briceno, Ian Goldberg, David Wagner, An implementation of the GSMA3A8 algorithm, http://www.iol.ie/kooltek/a3a8.txt, 1998.

Marc Briceno, Ian Goldberg, David Wagner, GSM Cloning,http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html, 1998.

3. Known-Plaintext Cryptanalysis of A5/1:

Eli Biham, Orr Dunkelman, Cryptanalysis of the A5/1 GSM Stream Cipher,Progress in Cryptology, proceedings of Indocrypt'00, Lecture Notes inComputer Science 1977, Springer-Verlag, pp. 43-51, 2000.

Alex Biryukov, Adi Shamir, Cryptanalytic Time/Memory/Data Tradeoffs forStream Ciphers, Advances in Cryptology, proceedings of Asiacrypt'00,Lecture Notes in Computer Science 1976, Springer-Verlag, pp. 1-13, 2000.

Alex Biryukov, Adi Shamir, David Wagner, Real Time Cryptanalysis of A5/1on a PC, Advances in Cryptology, proceedings of Fast SoftwareEncryption'00, Lecture Notes in Computer Science 1978, Springer-Verlag,pp. 1-18, 2001.

Patrik Ekdahl, Thomas Johansson, Another Attack on A5/1, to be publishedin IEEE Transactions on Information Theory,http://www.it.Ith.se/patrik/publications.html, 2002.

Jovan Golic, Cryptanalysis of Alleged A5 Stream Cipher, Advances inCryptology, proceedings of Eurocrypt'97, LNCS 1233, pp. 239-255,Springer-Verlag, 1997.

4. A5/2 related information:

Ian Goldberg, David Wagner, Lucky Green, The (Real-Time) Cryptatialysisof A5/2, presented at the Rump Session of Crypto'99, 1999.

Security Algorithms Group of Experts (SAGE), Report on the specificationand evaluation of the GSM cipher algorithm A5/2,http://cryptome.org/espy/ETR278e01 p.pdf, 1996.

Slobodan Petrovic, Amp aro Fuster-Sabater, Cryptanalysis of the A5/2Algorithm, Cryptology eprint Archive, Report 2000/052, Available onlineon http://eprint.iacr.org, 2000.

Description of A5/2 and GSM Security Background

In this section we describe the internal structure of A5/2 and the wayit is used, see FIG. 4. A5/2 consists of 4 maximal-length LFSRs: R1, R2,R3, and R4. These registers are of length 19-bit, 22-bit, 23-bit, and17-bit respectively. Each register has taps and a feedback function.Their irreducible polynomials are: x¹⁹⊕x⁵⊕x²⊕x⊕1, x²²⊕x⊕1,x²³⊕x¹⁵⊕x²⊕x⊕1, and x¹⁷⊕x⁵⊕1, respectively.

Note that we give the bits in the registers in reversed order, i.e., inour numbering scheme, x^(i) corresponds to a tap in index len-i-1, wherelen is the absolute register length. For example, when R4 is clocked,the XOR of R4[17−0−1=16] and R4[17−5−1=11] is computed. Then theregister is shifted one place to the right, and the value of the XOR isplaced in R4[0].

At each step of A5/2 registers R1, R2 and R3 are clocked according to aclocking mechanism that is described later. Then, register R4 isclocked. After the clocking was performed, one output bit is ready atthe output of A5/2. The output bit is a non-linear function of theinternal state of R1, R2, and R3.

After the initialization 99 bits of output are discarded, and thefollowing 228 bits of output are used as the output key-stream. Somereferences state that A5/2 discards 100 bits of output, and that theoutput is used with a one-bit delay. This is equivalent to stating thatit discards 99 bits of output, and that the output is used withoutdelay.

Denote K_(c)[i] as the i'th bit of the 64-bit session-key K_(c), Rj[i]the i'th bit of register j, and f[i] the i'th bit of the 22-bit publiclyknown frame number.

The key-stream generation is as follows:

1. Initialize with K_(c) and frame number.

2. Force the bits R1[15], R2[16], R3[18], R4[10] to be 1.

3. Run A5/2 for 99 clocks and ignore the output.

4. Run A5/2 for 228 clocks and use the output as key-stream.

The first output bit is defined as the bit that is at the output afterthe first clocking was performed.

The initialization is done in the following way:

Set all LFSRs to 0 (R1=R2=R3=R4=0).

For i:=0 to 63 do

1. Clock all 4 LFSRs.

2. R1[0]←R1[0]⊕K_(c)[i]

3. R2[0]←R2[0]ΓK_(c)[i]

4. R3[0]←R3[0]⊕K_(c)[i]

5. R4[0]←R4[0]⊕K_(c)[i]

For i:=0

to 21 do

1. Clock all 4 LFSRs.

2. R1[0]←R1[0]⊕f[i]

3. R2[0]←R2[0]⊕f[i]

4. R3[0]←R3[0]⊕f[i]

5. R4[0]←R4[0]⊕f[i]

In FIG. 4 the internal structure of A5/2 algorithm is showed.

The clocking mechanism works as follows: register R4 controls theclocking of registers R1, R2, and R3. When clocking of R1, R2, and R3 isto be performed, bits R4[3], R4[7], and R4[10] are the input of theclocking unit. The clocking unit performs a majority function on thebits. R1 is clocked if and only if R4[10] agrees with the majority. R2is clocked if and only if R4[3] agrees with the majority. R3 is clockedif and only if R4[7] agrees with the majority. After these clockings, R4is clocked.

Once the clocking was performed, an output bit is ready. The output bitis computed as follows:

output=R1[18]⊕maj(R1[12],R1[14]⊕1, R1[15])⊕R2[21]⊕maj(R2[9],R2[13],R2[16]⊕1) ⊕R3[22]⊕maj(R3[13]⊕1,R3[16],R3[18]),where maj(•,•,•) is the majority function. i.e., out of each register,there are 3 bits whose majority is XORed to form the output (when onebit of each triplet is inverted), in addition to the last bit of eachregister. Note that the majority function is quadratic in its input:maj(a,b,c)=ab⊕bc⊕ca.

A5/2 is built on a somewhat similar framework of A5/1. The feedbackfunctions of R1, R2 and R3 are the same as A5/1's feedback functions.The initialization process of A5/2 is also somewhat similar to that ofA5/1. The difference is that A5/2 also initializes R4, and that afterinitialization one bit in each register is forced to be 1. Then A5/2discards 99 bits of output while A5/1 discards 100 bits of output. Theclocking mechanism is the same, but the input bits to the clockingmechanism are from R4 in the case of A5/2, while in A5/1 they are fromR1, R2, and R3. The designers meant to use similar building blocks tosave hardware in the mobile.

This algorithm outputs 228 bits of key-stream. The first block of 114bits is used as a key-stream to encrypt the link from the network to thecustomer, and the second block of 114 bits is used to encrypt the linkfrom the customer to the network. Encryption is performed as a simpleXOR of the message with the key stream.

Although A5 is a stream cipher, it is used to encrypt 114-bit “blocks”.Each such block is the payload of a GSM burst, which is a GSMair-interface data unit. Note that each frame-is constructed of 8consecutive bursts, serving 8 customers in parallel. Each customer isallocated a burst index. All the bursts in this index are designated forthat customer. The frames are sequentially numbered, and each frame hasa 22-bit publicly known frame number associated with it. This framenumber is used when initializing A5. Since the focus is always on asingle customer, we use the terms “burst” and “frame” interchangeably.

One might wonder why does GSM use a stream cipher and not a block cipherof 114-bit block size. A possible explanation is that GSM performserror-correction and then encryption. Assume that one bit in a block isflipped due to an error. Decrypting that block with a block cipher wouldresult in a block that would appear random, and that theerror-correction codes have no chance to correct. However, when using astream cipher, one flipped bit causes exactly one flipped bit afterdecryption.

GSM Security Background

Following is a more detailed description on the usage and specificationof A3 and A8 algorithms.

A3 provides authentication of the mobile to the network, and A8 is usedfor session-key agreement. The security of these algorithms is based ona user-specific secret key Ki that is common to the mobile and thenetwork. The GSM specifications do not specify the length of Ki, thus itis left for the choice of the operator, but usually it is a 128-bit key.Authentication of the customers to the network is performed using the A3authentication algorithm as follows: The network challenges the customerwith a 128-bit randomly chosen value RAND. The customer computes a32-bit long response SRES=A3(K_(i),RAND), and sends SRES to the network,which can then check its validity.

The session key K_(c) is obtained by the A8 algorithm as follows:K_(c)=A8(K_(i),RAND). Note that A8 and A3 are always invoked togetherand with the same parameters. In most implementations, they are onealgorithm with two outputs, SRES and K_(c). Therefore, they are usuallyreferred to as A3A8.

The above description of prior art encryption in GSM is relayed upon inthe detailed description of the invention below. In this invention theterm cryptanalysis is used to describe the process of being able toencrypt/decrypt communication without the prior knowledge of the usedsession key. In some cases, the cryptanalysis can retrieve the sessionkey that is used. In other cases the session key is not retrieved,however it might still be possible to decrypt or encrypt messages in thesame way that would have been if the relevant cipher were used using thesession key. Sometimes in this invention the term decryption is alsoused in the meaning of cryptanalysis.

Known plaintext means that the attacker has access to encrypted messagesas well as to the messages that were encrypted.

Ciphertext only means that the attacker has access only to the encryptedmessages, and has no access to the messages before they were encrypted.

In this invention the term phone should be understood in the broadersense of a cellular device using the GSM network.

SUMMARY OF THE INVENTION

According to the present invention, there is provided a method andsystem for performing effective cryptanalysis of GSM encryptedcommunications. The method uses ciphertext-only cryptanalysis. Thesystem needs not be connected by wire to the cellular infrastructure,rather it may receive messages transmitted on the air.

New methods for attacking GSM encryption and security protocols aredisclosed. These methods are much easier to apply and much faster.

Basically, for A5/2 GSM, a mobile attacker system receives the encryptedmessages, performs an efficient cryptanalysis and enables listening tothe GSM messages and/or to review related information. When performed ona personal computer, the process may take less than one second.

In principle, a similar method can be applied to A5/1 GSM, however inthis case the encryption is more complex and may require about 5 minutesof communication messages to decrypt. A complex system, which may bedifficult to implement, may be required since it has to keep track offrequency hopping in GSM.

According to another aspect of the present invention, for A5/1 GSM theattacker system creates a small cell around itself, which cell includesthe target GSM phone. The system impersonates the cellular network forthe target phone, and the target phone for the GSM infrastructure. Thisrequires a transmit capability in the attacker system, however thedecryption is greatly simplified and much faster.

Moreover, novel improvements in the GSM networks are presented. Theseinclude improvements in the cryptographic algorithms and protocols. Suchimprovements can be performed, for example, by GSM operators.

Even GSM networks using the new A5/3 succumb to our attack, in the waythat A5/3 is integrated into GSM. The present disclosure includeschanges to the way A5/3 is integrated to protect the networks from suchattacks.

By performing such tests or attacks on the cellular network, a higherlevel of security can be achieved and maintained. Present and futureweak points can be detected and corrective actions may be taken. Thestructure of GSM network itself can thus be improved to increase itssecurity.

The present invention might not be limited to the GSM cellular network:for example, a similar version of A5/3 is also used in third generationcellular networks.

Further objects, advantages and other features of the present inventionwill become apparent to those skilled in the art upon reading thedisclosure set forth hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a GSM cell with a base station, a subscriber and anattacker system.

FIG. 2 details a block diagram of the attacker system.

FIG. 3 details a block diagram of another embodiment of the attackersystem.

FIG. 4 details the A5/2 internal design (prior art).

FIG. 5 details a method for ciphertext only attack

FIG. 6 details a Known Plaintext Attack on A5/2 Method

DETAILED DESCRIPTION OF THE INVENTION

A preferred embodiment of the present invention will now be described byway of example and with reference to the accompanying drawings.

FIG. 1 illustrates a GSM cell 11 with a base station 12, a subscriber 13and an attacker system 14. There are wireless links 21, 22, 23 betweenthese units.

FIG. 2 details a block diagram of the attacker system. The system may beused to implement the methods detailed in the present disclosure. Theattacker system comprises a first transceiver 31 with antenna 32, whichcommunicates with a target subscriber set, and a second transceiver 33with antenna 34, which communicates with a base station. The system alsoincludes a computer/controller 36, which controls the operation of thesystem, is controlled by the operator and displays the results of thedecryption. The computer 36 also allows the operator to listen to thetarget phone's communications.

FIG. 3 details a block diagram of another embodiment of the attackersystem. It includes a first transceiver 31 which is at a differentlocation than the transceiver 33—the former is located near a targetsubscriber, the latter—near the base station.

The system further includes an interface means 38, allowing the firsttransceiver 31 to be placed at a remote location.

Alternately, the system may use directional antennas directed eachtowards a subscriber or the base station, respectively.

Although the examples here refer mostly to GSM A5/2, A5/1, A5/3, andGPRS, they can be adapted to other networks as well, using the presentinvention.

The examples in the present disclosure detail a ciphertext-onlycryptanalysis of GSM encrypted communication. The attacks work on GSMnetworks that employ, for example, A5/1 or A5/2 and even the newlychosen A5/3.

The attack on A5/2 requires about 40 milliseconds of encryptedoff-the-air cellular conversation and finds the correct key in less thana second on a personal computer. It is shown how to easily leverage ourattack against A5/2 to active attacks against networks that use A5/1 orA5/3. Previous attacks on GSM required unrealistic information, likelong known plaintext periods. Our attacks are the first practicalattacks on GSM networks and require no knowledge about the content ofthe conversation.

These attacks enable attackers to tap any conversation and decrypt iteither in real-time, or at any later time. We also show how to mountactive attacks, such as call hijacking, altering of data messages andcall theft. Even when such active attacks are applied, they cannot beidentified by the network operator using prior art methods and systems.

The A5/3 is also used in third generation cellular networks, thus thepresent invention is not limited to GSM, rather it can be used withother cellular systems as well.

The present disclosure illustrates a method for mounting a ciphertextonly attack on A5/2. In tests we made, our attack found the key in lessthan one second on a personal computer. It is shown that the attack wepropose on A5/2 can be leveraged to mount an active attack even on GSMnetworks that use A5/1 and A5/3, thus realizing a real-time activeattack on GSM networks, without any prior required knowledge.

Method for Ciphertext Only Attack

The new full attack method comprises, see for example FIG. 5:

1. An efficient known plaintext attack on A5/2 that recovers the sessionkey. This first attack is algebraic in nature. It takes advantage of thelow algebraic order of the A5/2 output function. We represent the outputof A5/2 as a quadratic multivariate function in the initial state of theregisters. Then, we construct an overdefined system of quadraticequations that expresses the key-stream generation process and we solvethe equations.

2. Improving the known plaintext attack to a ciphertext only attack onA5/2. We observe that GSM employs Error-Correction codes beforeencryption. We show how to adapt the attack to a ciphertext only attackon A5/2 using this observation.

3. Leveraging of an attack on A5/2 to an active attack on A5/1 and A5/3GSM networks, and also to GPRS. The present inventor has found that, dueto the GSM security modules interface design, the key that is used inA5/2 is the same key as in A5/1 and A5/3. And the same mechanism thatsets the key in the A5 cipher, i.e., A3A8 is used to set the key forGPRS. It is showed how to mount an active attack on any GSM network.

End of method.

Note: See the description of A5/2 and GSM Security Background in theBackground section of the present disclosure.

Known Plaintext Attack on A5/2 Methods

In this section we present a new known plaintext attack (knownkey-stream attack) on A5/2. Given a key-stream, divided to frames, andthe respective frame numbers, the attack recovers the session key.

Compared with prior art attacks, the novel attack method might look asif it requires more information, however, it works within only a fewmilliseconds of data. We then improve our attack to a ciphertext onlyattack that requires only about 40 milliseconds of encrypted, unknowndata. Therefore, our attack is very easy to implement in practice. Wehave simulated our known plaintext attack on a personal computer, andverified the results. This simulation recovers the key in less than asecond.

The computation time and memory complexity of this attack are similar toGoldberg, Wagner and Green's attack.

Thus, the method comprises, see FIG. 6:

1. Knowing the initial internal state of registers R1, R2, R3 and R4,and the initial frame number, the session key can be retrieved usingsimple algebraic operations. This is mainly because the initializingprocess is linear in the session key and the initial frame number.Therefore, in the attack we focus on revealing the initial internalstate of the registers.

2. Let k₀, k₁, k₂, . . . be the output of the A5/2 algorithm divided toframes. Note that each k_(j) is the output key-stream for a whole frame,i.e., each k_(j) is 114 bits long. Let f, f+1, f+2, . . . be the framenumbers associated with these frames, where f is the initial framenumber. We denote as k_(j)[i] the i'th bit of the key-stream at frame j.The initial internal state of register Ri at frame j is noted as Ri_(j).This is the internal state after the initialization but before the 99clockings. Note that this notation is somewhat imprecise, since theoutput is actually 228 bits, when the first part is used to encrypt thenetwork-to-mobile link, and the second 114-bit part themobile-to-network link.

3. Assume that the initial state R4₀ of register R4 at the first frameis known. An important observation is that R4 controls the clockings ofthe other registers, and since R4 is known, the exact number of timesthat each register has been clocked since its initial state is alsoknown. Each register has a linear feedback, therefore, once given thenumber of times a register is clocked, every bit of its internal statecan be expressed as a linear combination of bits of the originalinternal state.

4. The output of the A5/2 algorithm is an XOR of the last bits ofregisters R1, R2, and R3, and three majority functions of bits of R1,R2and R3 (see FIG. 4 for the exact details). Therefore, the resultingfunction is quadratic, when the variables are the bits in the initialstate of these registers. We take advantage of this low algebraic degreeof the output. The goal in the next paragraphs is to express every bitof the whole output of the cipher (constituting of several frames) as aquadratic multivariate function in the initial state. Then, we constructan overdefined system of quadratic equations that expresses thekey-stream generation process and solve it.

5. Given a frame number f, there is an algebraic description of everyoutput bit. We perform linearization to the quadratic terms in thisalgebraic description. We observe that each majority function operateson bits of a single register. Therefore, we have quadratic termsconsisting of variables of the same register only. Taking into accountthat one bit in each register is set to 1: R1 contributes 18 linearvariables plus all their (1718)/2=153 products. In the same way R2contributes 22+(2221)/2=22+231 variables and R3 contributes22+(2221)/2=22+231 variables. So far there are 18+153+21+210+22+231=655variables after linearization. A variable that will take the constantvalue of 1 is also needed. In total we have a set of 656 variables. Wedenote the set of these 656 variables by V₀. Of these variables,18+21+22=61 variables directly describe the full initial state of R1,R2, and R3.

6. Every output bit we have, adds an equation in variables from V₀. Aframe consists of 114 bits. Therefore, we get 114 equations from eachframe. The solution of the equation system reveals the value of thevariables in V₀, and among them the linear variables that directlydescribe the initial internal state of R1, R2, and R3. However, thereare not enough equations at this stage to efficiently solve the system.

The main observation is that given the variables in V₀ defined on framef, the bits of any other frame can be described in linear terms of thevariables in the set V₀. When moving to the next frame, the frame numberis incremented by 1 and the internal state is re-initialized. We assumethat the value of register R4₀ is known. Due to the initializationmethod, where the frame number is XORed bit by bit into the registers(see the description of A5/2), we know the value of R4₁. Since thevalues R1₀, R2₀, and R3₀ are not known, we do not know the value ofregisters R1₁, R2₁, and R3₁, either, but we do know the XOR-differencebetween R1₀, R2₀, R3₀ and R1₁, R2₁, R3₁, respectively.

7. We define the set of variables that describe their state and thelinearization of these variables as V₁, in the same way as we did withthe first frame to create the set V₀. Due to the initialization method,for each register i we know the difference between Ri₁ and Ri₀. Knowingthe difference, we can describe the variables in the set V₁ in linearterm of the variables in the set V₀. That is, including the quadraticterms! To see this, assume that a·b_(i) is a quadratic term in V₁,naturally a₀b₀ is a quadratic term in V₀, and the difference d_(a) andd_(b) is known, such that: a₀=a₀⊕d₀ and b₁=b₀⊕d_(b).

8. Therefore, asa₁·b₁=(a₀⊕d₀)·(b₀⊕d_(b))=a₀·b₀⊕a₀d_(b)⊕b₀d_(a)⊕d_(a)d_(b). Since d_(b)and d_(a) are known, this equation is linear in the variables in V₀.This fact enables to use the output bits in the second frame in order toget additional linear equations in the variables of V₀. The same followsfor any other frame.

It is clear that once 656 linearly independent equations are obtained,the system can be easily solved using Gauss elimination. However, it ispractically very difficult to collect 656 linearly independentequations. This is an effect of the frequent re-initializations, and thelow order of the majority function. It is not actually need to solve allthe variables, i.e. it is enough to solve the linear variables of thesystem, since the other variables are defined as their products. We havetested experimentally and found that after about 450 equations aresequentially obtained, the original linear variables in V₀ can be solvedusing Gauss elimination.

End of method.

This attack can be summarized as follows: all the possible values forR4₀ are tried, and for each such value the linearized system ofequations that describe the output is solved. The solution of theequations gives the internal state of R1, R2, and R3. Together with R4,the full internal state which gives a suggestion for the key is known.

The time complexity of the attack is as follows: There are 2¹⁶ possibleguesses of the value of R4₀. This figure should be multiplied by thetime it takes to solve a linear binary system of 656 variables for aspecific guess, i.e., about 656³≈2²⁸ XOR operations, or about 2⁴⁴ XORsin total.

Result: we have successfully implemented this algorithm, it takes about40 minutes on our Linux 800 MHz Pill personal computer. The memoryrequirement is negligible: holding the linearized system in memoryrequires 656² bits≈54 KB. When implementing the algorithm on a personalcomputer, we took advantage of the fact that a PC machine can performthe XOR of 32 bits with 32 other bits in one operation.

Optimization of the Known Plaintext Attack on A5/2 Method

A possible optimization is filtering wrong values of R4₀, and solvingthe system of equations only for the correct value of R4₀. The filteringis based on the observation that the system of equations for everysuggestion of R4₀ contains linearly dependent lines. This filteringsaves a considerable amount of time, by saving the relatively expensivesolving of the equation systems.

1. There is a different system of equations for every different value ofR4₀. Our filtering stage technique requires a pre-computation stage thatsolves the 2¹⁶ possible systems in advance. Given the matrix S thatdescribes the system, and for any output k, i.e., S·V₀=k, we compute a“solving matrix” T of the system.

2. The matrix T is computed by taking the unit matrix that has the samenumber of rows as the S matrix, and applying to it the same series ofelementary operations that are performed during a Gauss elimination ofS. Multiplication by T on the left of S has the impact of applying Gausselimination to S:

${T \cdot S} = \underset{0}{\left( V_{s} \right)}$

where V_(s) is a matrix whose lines are linearly independent, and therows below the matrix V_(s) are all zero lines. The zero lines are theresult of the equation system containing linearly dependent lines. Whatwe are interested in is taking advantage of the linearly dependent linesof S.

3. We take this advantage by using linearly dependent bits of the outputof A5/2:

${T \cdot k} = {{{T \cdot S \cdot V}\; 0} = {\underset{0}{({Vs})} \cdot V_{0}}}$

4. We like to verify the guess for the value of R4₀, i.e., filter wrongguesses of R4₀. The lines of T which once multiplied by the output kresult in the value zero can be used. On a correct guess, all theselines result in a zero after the above multiplication. On a wrong guess,each line has a probability of about half to be zero once multiplied byk. Therefore, on average about two lines (dot products) have to becomputed for each wrong guess of R4₀. During the pre-computation we keepfor each possible value of R4₀ only about 16 of the lines of T that getthe value 0 once multiplied by k. When performing the attack wrong R4₀guesses are filtered by multiplying the saved lines by k.

5. When the result of all the multiplications for a guessed R4₀ arezero, we have a candidate equation system, which is actually a candidatefor a value for R4₀. Given the suggestion for R4₀, we solve thesuggested equation system and compute the initial internal state of R1,R2, and R3. Together with the guess of R4₀, K_(c) can be easilydetermined. The filtering stage is designed so that the correct guessfor R4₀ survives it. Note that the number of values of R4₀ that survivesthe filtering stage is about one, i.e., the correct value for R4₀.

End of method.

Result: The memory complexity is about the 2^(27.8) bytes (less than 250MBs) needed to store the above row-vectors.

The above result applies when known plaintext from the wireless linkoriginating from the network towards the mobile phone is used. Whenusing the known plaintext from the link originating from the mobilephone towards the network, a few more equations are needed to reach astate that there are linearly depended lines. That is because on thelink from the phone toward the network, the second block of 114 bits outof the 228 bits of the output of A5/2 are used. These bits are lessaffected by the frequent re-initializations, and therefore a little bitless linearly depended.

Note that when using this optimization some compromise is needed.

Since four known plaintext frames are required, the XOR between theframe number f and each one of f+1, f+2 and f+3 must be known inadvance, before exact value f is known. This XOR-difference is requiredin order to express the frames' key stream bits as linear terms over theset V₀, and to compute the system of equations. In other words, thesystem of equations depends not only on R4₀ but also on theXOR-difference.

The problem here is the addition operation, for example, f+1 can resultin a carry that would propagate through f, thus not allowing thecalculation of the XOR-difference in advance. To make the calculationeasy, we require that f will have a specific bit set to 0. Thisrequirement prevents a carry from propagating beyond the specific bit.We take into account that we need to calculate the XOR-difference for upto an addition of the number 3 to the frame number f, therefore, we needthe value of the third least significant bit of f to be zero, and alsoneed to require that the two last bits in f have a constant value sinceany combination of these bits results in a different XOR-differenceafter addition.

These requirements are sufficient to allow calculating the abovedifferences in advance. To allow any constant value of the two lowerbits of f, the pre-computation is performed for each such possiblevalue. There are four possible values. This fact multiplies the memorycomplexity by a factor of four, and the pre-computation time complexityby a factor of four as well. The above memory complexity alreadyincludes this factor. We can remove the requirement for the third bit tobe 0, in the case that the two lower bits are zeros, due to the factthat in this case an addition of up to three can not cause a carryoutside the first two bits.

Thus, out of the eight possible values to the three lower bits of f, weallow five. We stress that this limitation on the possible values of fhas no serious practical implications since it is needed to wait at most3 frames for a frame number that qualify for the requirements. Theinstant Ciphertext-only attack that we describe relies on this attackand needs to work in 4 frame blocks. Note that in this case, if thefirst of frame number, out of four consecutive frame does not meet therequirements. If that happens, it is assured that the first frame numberin following block of 4 frames meets the requirements.

We analyze the time complexity of this optimized attack as follows:given a value of the frame number f, for each wrong guess of R4₀ we needto try two dot products on average. Once we have the correct R4₀ value,the time needed to solve the equation system for the correct value isabout 2²⁸, which is negligible. Therefore, the average time complexityof this optimized attack is approximately 2¹⁶ dot products.

We analyze the time complexity of the pre-computation as follows: in thepre-computation stage we compute the system of equations S and its Tmatrix for every R4₀ value, out of the 2¹⁶ possible values, and forevery allowed XOR-difference of f. For each such system, we only keepabout 16 of the lines of T that get the value 0 once multiplied by k. Tocompute T we perform Gauss elimination over S. The time complexity forthe Gauss elimination is about 2²⁸ XORs. When multiplying the abovefigures we get 2⁴⁴. Since we repeat the process for every one of thefour required XOR-difference of f we multiply this figure by four.Therefore, the pre-processing time complexity is 2⁴⁶ XORs.

We have implemented this optimized attack on our personal computer, andit takes less than a second to recover K_(c). The one-timepre-computation takes about 160 minutes.

An Instant Ciphertext Only Attack on A5/2 Method

In this section we show an attack on A5/2. An important factor thatfacilitates us to convert the attack of “Known Plaintext Attack on A5/2”to a ciphertext only attack against A5/2 is that in GSM error correctioncodes are employed before the encryption. Thus, the plaintext of theencryption has a highly structured redundancy.

There are several types of error correction methods that are used inGSM, and different error correction schemes are used for different datachannels. For simplicity, we focus on control channels, and specificallyon the error-correction codes of the Slow Associated Control Channel(SACCH). Note that this error-correction code is the only code that isused in the initiation of a conversation. Therefore, it suffices tofocus on this code. Using this error-correction code we mount aciphertext-only attack that recovers the key. However, the new attackmethod can be applied to other error-correction codes as well.

In the SACCH, the message to be coded with error-correction codes has afixed size of 184 bits. The result is 456-bit long. This 456-bit messageis interleaved to 4 bursts. The coding operation and interleavingoperation can be modeled together as one 456×184 matrix over GF(2),which we denote by G. The message to be coded is regarded as a 184-bitbinary vector, P. The result of the coding-interleaving operation is:M=GP. The resulting vector M is divided to 4 bursts. In the encryptionprocess each burst is XORed with the output of A5/2 for the respectiveburst.

Since the G matrix is a 456×184 binary matrix, there are 456−184=272equations that describe the kernel of the inverse transformation. Inother words, given the vector M=GP, there are 272 linearly independentequations on its elements. Let K_(G) be a matrix that describes theselinear equations, i.e., K_(g)M=0 for any such M.

We denote the output sequence bits of A5/2 for a duration of 4 frames byk=k_(j)∥k_(j)+1∥k_(j)+2∥k_(j)+3, where ∥ is the concatenation operator.The ciphertext C is computed by C=M⊕K. We use the same 272 equations onC, namely:

K _(G)(M⊕k)=K _(G) M⊕K _(G) k=0⊕K _(G) k=K _(G) k.

Since the ciphertext C is known, we actually get linear equations overelements of k.

Note that the equations we get are independent of P—they only depend onk. We substitute each bit in k with its description as linear terms overV₀ (see our description of the instant known-plaintext attack), and thusget equations on variables of V₀. Each 456-bit coding block, provides272 equations. The rest of the details of the attack and its timecomplexity are similar to the optimized case in the previous section,when we substitute k with K_(G)k.

While in the known-plaintext attack four frames of data are enough tolaunch the attack, in the ciphertext-only attack we need eight frames,since from each encrypted frame, we get only about half of theinformation compared to the known plaintext attack. When analyzing thetime and memory complexity of this ciphertext only attack, we take intoconsideration that we restrict the lower four bits of the frame numberf. We allow only 9 out of the 16 possible values for these four bits.This restriction doubles the memory complexity compared to the optimizedknown-plaintext attack, and it also doubles the pre-computationcomplexity.

End of method.

We summarize the complexity of the ciphertext only attack as follows:the average time complexity of this ciphertext only attack isapproximately 2¹⁶ dot products. The memory complexity is about 2^(28.8)bytes (less than 500 MBs), the pre-computation time complexity is about2⁴⁷ XORs. Our implementation on a personal computer recovers K_(c) inless than a second, and it takes about 320 minutes for the one-timepre-computation to complete.

We have also successfully enhanced the attack of Goldberg, Wagner, andGreen and the attack of Petrovic and Fuster-Sabater to a ciphertext-onlyattack using our methods. When given the current disclosure, theabovementioned enhancement should be obvious to those skilled in theart.

Direct Attack Against A5/1 Method

Following is an example of such a direct attack:

Given a block of several frames that are encrypted, we use the methodsof pervious sections, to compute K_(G)k. These bits that we get are onlydependent in the output of A5/1 on the several frames. We call thisoutput bits the coded-stream. Let's assume that the frame number of thefirst frame of these frames is known to be divided by four withoutremainder. The whole process can be viewed as a function from theinternal state of A5/1, to the coded stream. Let f( ) be that function,when only 64 bits of output are condifered, therefore, f( ) maps 64 bitsto 64 bits.

So f( ) is a function that takes an internal state of A5/1 afterinitialization, and outputs the coded stream. Inverting f( ) will revealthe internal state, and break the cipher. Note that we must make anassumption regarding the frame number, otherwise, f( ) depends on theframe number. We can apply one of the time-memory-data tradeoff known inthe art, for example the ones that are described by Biryukov and Shamirin their paper “Cryptanalytic Time/Memory/Data Tradeoffs for StreamCiphers”, Advances in Cryptology, proceedings of Asiacrypt'00, LectureNotes in Computer Science 1976, Springer-Verlag, pp. 1-13, 2000.

We use their notations for the tradeoff, i.e., N is the internal statesspace, T is the number of evaluations of f( ) D is the number ofavailable data points, M is the number of memory lines. In this caseN=2⁶⁴, and each memory line is 16 bytes long. For example, on thetradeoff curve N²=D²M²T, T>D², and N=2⁶⁴, one point is D=2⁸ which isabout 8 seconds of off-the-air data, M=2³⁹, which is about 8.8 Tera-Byte(Can be stored on 44 hard-disks of 200 GBs). If we take a similar codingto the pervious sections, that means that we have to multiply the databy 4 to compensate for the different frame numbers. So 176 hard-disks of200 GBs are needed.

The time it takes for an actual attack is therefore, T=2³⁴ valuations off( ) Assuming that fo can be computed 2²⁰ times in a second on a singlepersonal computer, the computation requires 2¹⁴ seconds. On a networkwith 1000 computers it takes about 16 seconds. It will result in about2¹⁷ random disk accesses, each disk can be randomly accessed about 200times a second, therefore, the access time is about 655 seconds, butthere are 176 hard-disks, therefore, the total access time is 3.76seconds, which are done in back-ground when the other computations areperformed.

Precomputation takes N/D, which is 256 evaluations of f( ) that takes2³⁶ seconds on a personal computer. We need to compute it four times. Intotal, on a 10,000 computers network, this task should be completed inabout 10 months. In a distributed work, that network requires abandwidth of about 1.35 Mbyte/Second. This is feasible computation overthe internet for example.

Note that increasing the available data decreases the other requirementsdramatically. If we had 5 minutes of such data, which is 37.5 times datathan 8 seconds, then D=2¹³, only about 44 Hard-Disks of 200 MBs need tobe used in total, that is about M=2³⁷, and the time would be T=2²⁸,which takes about 5 minutes to compute on a single PC. This means thatthe attack carries out in real-time, but only one of few thousand offrames is a frame that lets the attack succeed. When a frame isencountered, the attack finds out almost instantaneously if this frameis indeed “the right one” or not.

The attack requires 2¹⁴ random disk accesses, which take about 81seconds, but are done on 44 hard-disks in parallel, which takes in totalabout 1.86 seconds, which are spent in the background of thecomputation. The precomputation is reduced to N/D=2⁵¹ evaluations of f() which takes about 2³¹ seconds, or about 3 months on a network of 1000personal computers.

If 1 Hour of such data is allowed, only about 270 GB of memory isneeded, which can be stored on one or two hard-disks, The actual attacktime takes about one hour on one personal computer, which means it'sactually real-time, the hard-disk access time is about 5 minutes whichis negligible. The precomputation can be completed on a network of 40PCs in about 10 months.

Even if A5/2 is not used anymore in GSM networks, but A5/1 remains, thisdirect attack on A5/1 can be used to leverage an attack on GPRS, usingthe fact that their key is created with the same mechanism (i.e., A3A8),and therefore, when given the same input (i.e. RAND and K_(i)) theoutput which is the resulting key, is the same. This is an example,which can occur in other ciphers, as long as two ciphers share the samekey agreement, and an active attack can be mounted more easily on one ofthese ciphers.

Briceno discovered that many GSM networks use only 54 bits out of the 64bits of key, setting 10 key bits to 0. Prior art did not take advantageof this fact when employing cryptanalysis. We observe, that when bitsare set to a constant value, the direct A5/1 attack can be dramaticallyimproved. As N decreased from 2⁶⁴ to 2⁵⁴. Only 54 bits of output need tobe considered out of f( ) Therefore, each memory line is now only 54times 2 bits long=13.5 bytes, let's assume 14 bytes.

On the tradeoff curve, N²=D²M²T, T>D², and N=2⁵⁴, consider the examplewe showed above, where D=2⁸ which is about 8 seconds of off-the-airdata, but now M=2³³, which is about 500 GB, can be stored on threehard-disks of 200 GB. T=2²⁶, this takes only about one minute ofcomputation on a SINGLE PC! This computation can be done in paralleledon a few computers reaching a real-time direct attack on A5/1. Theone-time pre-computation takes N/D=2⁴⁶, which is about 3100computer-days in total, which can be computed on a network of 10 PCs inabout 10 months.

Leveraging the Attack to Networks that Require A5/1 or A5/3 but Settlefor Less

Some networks may prefer the mobile phone to work with A5/1, but if notpossible work with A5/2. When a mobile phone accesses the network, ittells the network what is its capabilities, including which encryptionalgorithm it can use. A simple classmark attack would be to change theinformation that the network gets, so it thinks that the phone can workin either A5/2 or A5/0. If the network settles for encryption with A5/2,then the encryption keys can be found using the above detailed method. Asimilar classmark attack could be mounted when the network prefers A5/3but settles for less (either A5/1 or A5/2).

Leveraging the Attacks to any GSM Network Method

The attack shown in “An Instant Ciphertext Only Attack on A5/2 Method”assumes that the encryption algorithm is A5/2. Using that attack it iseasy to recover K_(c) in real-time from a few tens of milliseconds ofciphertext.

We ask the question, what happens when the encryption algorithm is notA5/2, but rather is A5/1 or the newly chosen A5/3 or even GPRS. Thesurprising answer is that almost the same attack applies. All that isneeded for the new attack to succeed is that the mobile handset supportsA5/2, but this is actually a mandatory GSM requirement to enable roamingto networks that use A5/2.

The following attack retrieves the encryption key that the network useswhen A5/1 or A5/3 is employed. The key is discovered by a man in themiddle attack on the victim customer. In this attack, the attacker playstwo roles. He impersonates the network, as far as the customer sees, andimpersonates the customer, as far as the network sees. Note that thiskind of an attack is relatively very easy to mount in a cellularenvironment.

During the initialization of a conversation, the network can send theauthentication request to the attacker, the attacker sends it to thevictim. The victim computes SRES and return it to the attacker, whichsends it back to the network. Now the attacker is “authenticated” to thenetwork. Next, the network asks the customer to start encrypting withA5/1.

In our attack, since the attacker impersonates the customer, the networkwill actually ask the attacker to start encrypting with A5/1. Theattacker does not have the key, yet, and therefore, is not able to startthe encryption. The attacker needs the key before he is asked to use it.To achieve it, the attacker asks the victim to encrypt with A5/2 justafter the victim returned the SRES, and before the attacker returns theauthentication information to the network.

This request looks to the victim as a legitimate request, since thevictim sees the attacker as the network. Then, the attacker employscryptanalysis to retrieve the encryption key of the A5/2 that is used bythe victim. Only then, the attacker sends the authentication informationto the network. The key only depends on RAND, that means that the keyrecovered through the A5/2 attack is the same key to be used when A5/1is used or even when 64-bit A5/3 is used! Now the attacker canencrypt/decrypt with A5/1 or A5/3 using this key.

One may suspect that the network may identify this attack, byidentifying a small delay in the time it takes to the authenticationprocedure to complete. However, GSM standard allows 12 seconds for themobile to complete his authentication calculations and return an answer.The delay incurred by this attack is less than a second. Also, GSMsignaling messages can normally take some time to travel between thenetwork and mobile, due to layer 2 protocol delay. In total, there is adelay but it is negligible.

Many networks initiate the authentication procedure rarely, and use thekey created in the last authentication that is saved in customer's SIM.This key is numbered by the network with a number in the range of zeroto six. An attacker can discover these stored keys by impersonating thenetwork to the victim mobile. Then the attacker initiates aradio-session with the victim, and asks the victim mobile to startencrypting using algorithm A5/2 and the relevant key number. Theattacker then employs the attack and recovers the key and then ends theradio session. The owner of the mobile and the network will have noindication of the attack.

One may wonder if the network operator can discover the attack becausethe attack transmits, and interface can be caused. While this isgenerally true, both of these attacks require less transmission thanmight be expected at first view. In the first one, it might seem thatthe attacker needs to transmit during the whole conversation time.However, after the first second of communication the attacker alreadyhas the encryption key and does not really need to continue the activeman in the middle attack.

An attacker might want to stop the active attack, let the network andthe victim continue communicating, and tap the encrypted conversationusing the key he had discovered. The first step in doing that, ischanging the cipher that the victim uses to suit the network'srequirements. The attacker should ask the victim to change cipher to nocipher, and then to change to the cipher that is used by the network,i.e., A5/1. An attacker might cause the network to order a handover ofthe conversation to another frequency. At the same time, the attackerrequests the mobile victim to perform a handover to the same frequency.

Note that GSM does not really transmit on a single frequency. Rather,GSM employs a frequency hopping scheme. For simplicity we relate to acertain hopping sequence as a single frequency. This has no implicationson the attacks we present. In most GSM conversations, a handover isinitiated by the network shortly after the beginning of theconversation. Since it happens anyway it saves the attacker the need to“cause” the network to order a handover. In such a way, the attacker canstop its transmission, while still being able to eavesdrop to theconversation. In the second scenario, the attacker attacks in the timehe chooses, and the whole attack can be completed in a few seconds atmost. When these keys are in later use, the attacker does not need toperform any transmission.

In the scenarios that are described below, an attack is shown in whichthe attacker can tap any conversation, while transmitting only for ashort duration at a later time of his choosing, possibly after the callhas been completed.

The leveraging of the attack relies on the fact that the same key isloaded to A5/2 and A5/1 and even to 64-bit A5/3 (in the scenario whereA5/3 is used in GSM, according to GSM standards). Thus, discovering thekey for A5/2 reveals the key for A5/1 and 64-bit A5/3.

This attack also applies to GPRS, due to similar reasons. When thenetwork challenges the mobile for a new GPRS key, using a random 128-bitvalue RAND, the attacker can use “man-in-the-middle” and initiate radiosession with the victim, initiate authentication request using the sameRAND value, and then ask him to encrypt with A5/2. Then find the keyusing the ciphertext-only attack that we present. The key that isrecovered will be the same as the GPRS key, that is due to the fact thatthey are both created using the same A3A8 algorithm, and the same K_(j),therefore, when given the same RAND the same session key is produced.

The attacker can refrain from a “man-in-the-middle” attack, and recordthe GPRS communication and then later decrypt it using a similar attack,in which he asks the victim for authentication with the same RAND thatwas used in the session, and then asking the victim to encrypt with A5/2and recover the key. Even if GPRS changes the key several times using anew RAND, each time the attacker recorded the communications and theRAND he can repeat this process later in the attack against the victim,find the key and decrypt the communications. These attacks can be usedfor impersonation, in a similar way. Note that, although A5/3 can beused with key lengths of 64-128 bits, the GSM standard allows the use ofonly 64-bit A5/3.

Unfortunate Consequence Scenarios for GSM

The presented attacks can be used to emulate real life attacks inseveral scenarios. In this section four examples are presented. Theseattacks work for various encryption algorithm that may be used, forexample: A5/1, A5/2 or A5/3, and even GPRS.

Call Wire-Tapping Attack

A simple scenario that one might anticipate is eavesdroppingconversations. Communications that are encrypted using GSM can bedecrypted and eavesdropped by an attacker, once the attacker has theencryption key. Both voice conversations and data, for example SMSmessages, can be wire-tapped.

Another possible wire-tapping attack, is that the attacker records theencrypted conversation. The attacker must make sure that it knows theRAND value that created the key that is in use. At a later time, whenit's convenient for the attacker, the attacker impersonates the networkto the victim. Then the attacker initiates a radio-session, ask thevictim to perform authentication with the above RAAD, and recover thesession key that was used in the recorded conversation. Once theattacker has the key he simply decrypts the conversation and can listento its contents.

Note that an attacker can record many conversations and, with subsequentlater attacks, recover all the keys. This attack has the advantage oftransmitting only in the time that is convenient for the attacker.Possibly even years after the recording of the conversation, or when thevictim is in another country, or in a convenient place for the attacker.

Another attack is finding the key before the conversation by finding thestored key as we described. Finding the key before the conversation iseffective, if the network does not ask the subscriber to performauthentication with a different RAND in the beginning of theconversation.

Call Hijacking Attack

While a GSM network can perform authentication at the initiation of thecall, encryption is the means of GSM for preventing impersonation atlater stages of the conversation. The underlying assumption is that animposter would not have K_(c), and thus would not be able to conductencrypted communications. It is shown how to obtain encryption keys.Once an attacker has the encryption keys, he can cut the victim off theconversation, and impersonate the victim to the other party. Therefore,hijacking the conversation after authentication is possible.

Some people may claim that it would be difficult to apply this attack inpractice, due to the difficulty in transmitting the required data on theair. It is stressed that impersonation is an attack that is relativelyeasy to mount in a cellular environment. The GSM transmission is carriedover radio frequency, which makes these types of attack very easy toperform and difficult to detect. For example, an attacker might makesure that his signal is received at the cell's antenna with a muchhigher power than the victim's signal. The attacker can also causedisturbance by making sure that a noise signal is received in high powerin the antenna of the victim.

The hijacking can occur during the early call-setup, even before thevictim's phone begins to ring. The operator can hardly suspect there isan attack. The only clue of an attack is a moment of some increasedelectromagnetic interface.

Another way to hijack incoming calls, is to mount a kind of a “man inthe middle” attack, but instead of forwarding the call to the victim,the attacker receives the call.

Altering of Data Messages (SMS) Attack

Once a call has been hijacked, the attacker decides on the content. Theattacker can listen to the contents of a message being sent by thevictim, and send his own version. The attacker can stop the message, orsend his own SMS message. This compromises the integrity of GSM traffic.

Call Theft Attack

GSM was believed to be secure against call theft, due to authenticationprocedures of A3A8.

However, due to the mentioned weaknesses, an attacker can make outgoingcalls at a victim's expense. When the network asks for authentication,then a man in the middle attack, similar to the one that we described inleveraging the attack to any GSM Network would succeed. The attackerinitiates in parallel an outgoing call to the cellular network, and aradio session to a victim. When the network asks the attacker forauthentication, the attacker asks the victim for authentication, andrelays the resulting authentication back to the network.

The attacker can also recover K_(c) as described in the presentdisclosure. Now the attacker can close the radio session with thevictim, and continue the outgoing call as regular. This attack is hardlydetectable by the network, as it views it as normal access. The victim'sphone will not ring, and the victim will have no indication that he/sheis a victim. At least until his/her monthly bill arrives.

Various other embodiments of attack methods will occur to personsskilled in the art upon reading the present disclosure. The abovedetailed methods can be further expanded, for example:

1. A cryptanalysis method comprising

A. Requesting a phone to encrypt with A5/2;

B. Using the results to decrypt communications which is encrypted withA5/2, A5/1 A5/3 or GPRS. Thus, an attacker affects the decisionregarding the encryption method to be used, in this case in a way thatfacilitates its subsequent decryption.

2. A cryptanalysis classmark attack method comprising:

A. the attacker causes the network to decide that the phone is not ableto encrypt with A5/1 but just with A5/2;

B. this enabling the attacker to use the attack and decryptcommunications

3. A cryptanalysis method comprising:

A. Performing a ciphertext-only direct cryptanalysis of A5/1;

B. Using results of Step (A) to facilitate the decryption and/orencryption of further communications that are consistent with encryptionusing the session key and/or decryption using the session key.

In the above method, the cryptanalysis may consider part of the bits ofthe session key to have a known fixed value.

The cryptanalysis may also find the session key.

4. A cryptanalysis method comprising:

A. performing a ciphertext-only direct cryptanalysis of A5/2;

B. Using results of Step (A) to facilitate the decryption and/orencryption of further communications that are consistent with encryptionusing the session key and/or decryption using the session key.

In the above cryptanalysis method, the cryptanalysis may consider partof the bits of the session key to have a known fixed value.

Furthermore, the cryptanalysis method may also find the session key.

5. A method for protecting GSM communications comprising performingrepeatedly GSM authentication during an on-going session.

In the above method to protect GSM communications, the ciphering key mayalso be changed as a result of applying the GSM authenticationprocedure.

Furthermore, an attacker may emit radio frequency transmissions.

The above GSM active cryptanalysis methods may also include:

A. the attacker's transmission causes the network to decide that thephone's classmark is such that the phone is not able to encrypt withA5/1 but just with A5/2;

B. this causes the network to request encryption only with A5/2,enabling the attacker to use the attack and decrypt communications.

The above GSM active cryptanalysis methods may also include:

A. the attacker's transmission causes the network to decide that thephone's classmark is such that the phone is not able to encrypt withA5/3 but just with A5/2 or A5/1;

B. this causes the network to request encryption only with A5/1,enabling the attacker to use the attack and decrypt communications.

The above GSM active cryptanalysis methods may also include:

A. The attacker's transmission causes the phone to decide that thetransmission originated from the network, and requests the phone toencrypt with A5/2;

B. The phone replies with data that is encrypted with A5/2;

C. Using the session key that results from the cryptanalysis to decryptand/or encrypt communications on the wireless link between the attackerand the phone, and/or decrypt and/or encrypt communications on thewireless link between the attacker and the network, which is encryptedwith A5/2, A5/1, A5/3 or GPRS, and/or decrypt and/or encryptcommunications on the wireless link between the phone and the network,which is encrypted with A5/2, A5/1, AS/3 or GPRS.

The above GSM active cryptanalysis methods may also include:

A. The attacker's transmission causes the phone to decide that thetransmission originated from the network, and requests the phone toencrypt with A5/1;

B. The phone replies with data that is encrypted with A5/1;

C. Using the session key that results from the cryptanalysis to decryptand/or encrypt communications on the wireless link between the attackerand the phone, and/or decrypt and/or encrypt communications on thewireless link between the attacker and the network, which is encryptedwith A5/2, A5/1, A5/3 or GPRS, and/or decrypt and/or encryptcommunications on the wireless link between the phone and the network,which is encrypted with A5/2, AS/1, A5/3 or GPRS.

In the above cryptanalysis method, the Ciphertext-Only cryptanalysis maycomprise:

A. Performing an efficient known plaintext attack on A5/1 that recoversthe session key;

B. Improving the known plaintext attack to a ciphertext only attack onA5/1. Improvements in GSM Network Method and System

Various improvements in cellular systems will occur to persons skilledin the art upon reading the possible novel attack methods detailed inthe present disclosure.

Examples relating to GSM include:

1. GSM operators should replace the cryptographic algorithms andprotocols now in use as early as possible, to protect the privacy oftheir customers.

2. Even GSM networks using the new A5/3 succumb to the attack presentedhere, in the way that A5/3 is at present integrated into GSM.Accordingly, it is suggested to make changes in the way A5/3 isintegrated to protect the networks from such attacks. A possiblecorrection is to make the keys used in AS/1 and A5/2 unrelated to thekeys that are used in A5/3. This change should also be made in GPRS. Ingeneral, it is preferable to create unrelated keys for differentencryptions, so that a weakness in one of them would be able to inflicton the others.

3. Even if GSM implements larger key sizes for A5/3, the trivial way forGSM to implement it, is to use the same first bits of the key to AS/1and A5/2, and have some additional key bits added. Such implementationwill cause our attack to easily discover 64 key bits of the key that isused in A5/3, thus reducing security considerably.

4. The present ciphertext-only attack is facilitated by the fact thatthe error-correction codes are now employed before the encryption. Inthe case of GSM, the addition of such a structured redundancy before theencryption is performed, fatally reduces the system's security. A methodand structure to correct this flaw is proposed.

5. Modifying the GSM standard, to allow the use of more than 64-bitA5/3, would deliver a higher security, and limit the effectiveness ofthe attack.

6. Performing authentication more often, even during an on-goingsession, may prove to be a good protection. It would prove that the“real” subscriber is still the one on the other side of the channel.Also authentication in GSM changes the key, which would force aneavesdropper to perform the attack from the start. Even if the key isnot changed during the conversation, it will still ensure that there isno impersonation.

7. Stop the use of A5/2, especially in phones. Stopping the use of A5/2,would leave the direct attack on A5/1, which is more expensive anddifficult to perform. The attack against A5/1 could still be leveragedagainst GPRS (like the A5/2 attack), but the cost would be much higherto perform. The down side of this change, that it would force upgradingthe infrastructure in networks that employ A5/2. An other option is tocreate series of phones that do not support A5/2. They will be have noencryption when roaming to A5/2 networks (but as we show A5/2 is notsecure anyhow), but will increased security in A5/1 or A5/3 networks,since the A5/2 attack would not work.

Therefore, the direct A5/1 would have to be employed, and this attack isfar more expensive and difficult to perform.

8. Use more of the available bits for encryption, i.e., use the full 64bits of key available. In future, as more bits may be available—morebits may be used.

It will be recognized that the foregoing is but one example of anapparatus and method within the scope of the present invention and thatvarious modifications will occur to those skilled in the art uponreading the disclosure set forth hereinbefore.

1. A method for attacking encrypted GSM communications, said methodcomprising: using a first wireless transceiver to impersonate a GSMcellular network before a wireless client device; using the firstwireless transceiver to receive, from the wireless client device, anencrypted first GSM communication, which first GSM communication isintended for the GSM cellular network; using first processing circuitryto recover an encryption key used by the wireless client device toencrypt the first GSM communication; using a second wireless transceiverto impersonate the wireless client device before the GSM cellularnetwork, using the recovered encryption key;
 2. The method according toclaim 1, further comprising: receiving encrypted second GSMcommunications, intended for the GSM cellular network, from the wirelessclient device; using second processing circuitry to decrypt the secondGSM communications, using the recovered encryption key; using thirdprocessing circuitry to generate, using the recovered encryption key,encrypted third GSM communications; using the second wirelesstransceiver to transmit the third GSM communications to the GSM cellularnetwork; receiving encrypted fourth GSM communications, intended for thewireless client device, from the GSM cellular network; using fourthprocessing circuitry to decrypt the fourth GSM communications, using therecovered encryption key; using fifth processing circuitry to generate,using the recovered encryption key, encrypted fifth GSM communications;using the first wireless transceiver to transmit the fifth GSMcommunications to the wireless client device.
 3. The method according toclaim 2, wherein the third GSM communications are at least partiallybased on data from the second GSM communications and the fifth GSMcommunications are at least partially based on data from the fourth GSMcommunications.
 4. The method according to claim 1, further comprisingusing the wireless transceiver to transmit to the wireless clientdevice, under a guise of the cellular network, a protocol message whichelicits the wireless client device to transmit the encrypted first GSMcommunication, prior to said using the wireless transceiver to receive,from the wireless client device, the encrypted first GSM communication.5. The method according to claim 4, wherein: a. the wireless clientdevice is adapted to encrypt and decrypt digital communications inaccordance with multiple different encryption algorithms using identicalor related encryption keys; and b. the protocol message is designed tocause the first device to encrypt the first GSM communication accordingto a specific encryption algorithm.
 6. The method according to claim 1,wherein using processing circuitry to recover an encryption keycomprises deriving equations over bits of key-stream used to encrypt atleast a portion of the encrypted digital communication, wherein saidderiving includes XORing together bits of the encrypted digitalcommunication based on an error correction coding scheme or includesXORing bits of the encrypted digital communication bit-stream with bitsof a bit-stream consistent with an output of an error-correction codingscheme.
 7. A system for attacking encrypted GSM communications, saidsystem comprising: a first wireless transceiver adapted to (i)impersonate a GSM cellular network before a wireless client device; and(ii) receive, from the wireless client device, an encrypted first GSMcommunication, which first GSM communication is intended for the GSMcellular network; first processing circuitry adapted to recover anencryption key used by the wireless client device to encrypt the firstGSM communication; a second wireless transceiver and second processingcircuitry, functionally associated with each other and adapted tojointly impersonate the wireless client device before the GSM cellularnetwork, using the recovered encryption key.
 8. The system according toclaim 7, wherein: said first transceiver is further adapted to receiveencrypted second GSM communications, intended for the GSM cellularnetwork, from the wireless client device; said system further comprises:third processing circuitry adapted to decrypt the second GSMcommunications, using the recovered encryption key; and fourthprocessing circuitry adapted to generate, using the recovered encryptionkey, encrypted third GSM communications; and said second wirelesstransceiver is further adapted to transmit the third GSM communicationsto the GSM cellular network.
 9. The system according to claim 8,wherein: said second transceiver is further adapted to receive encryptedfourth GSM communications, intended for the wireless client device, fromthe GSM cellular network; said system further comprises: fifthprocessing circuitry adapted to decrypt the fourth GSM communications,using the recovered encryption key; and sixth processing circuitryadapted to generate, using the recovered encryption key, encrypted fifthGSM communications; and said first wireless transceiver is furtheradapted to transmit the fifth GSM communications to the wireless clientdevice.
 10. The system according to claim 9, wherein the third GSMcommunications are at least partially based on data from the second GSMcommunications and the fifth GSM communications are at least partiallybased on data from the fourth GSM communications.
 11. The systemaccording to claim 7, wherein said first wireless transceiver is furtheradapted to transmit to the wireless client device, under a guise of thecellular network, a protocol message which elicits the wireless clientdevice to transmit the encrypted first GSM communication, prior toreceiving, from the wireless client device, the encrypted first GSMcommunication.
 12. The system according to claim 11, wherein: a. thewireless client device is adapted to encrypt and decrypt digitalcommunications in accordance with multiple different encryptionalgorithms using identical or related encryption keys; and b. theprotocol message is designed to cause the first device to encrypt thefirst GSM communication according to a specific encryption algorithm.13. A system according to claim 7, wherein said first processingcircuitry is adapted to recover an encryption key used by the wirelessclient device to encrypt the first GSM communication by performing acryptanalysis which includes deriving equations over bits of key-streamused to encrypt at least a portion of the encrypted digitalcommunication, wherein said deriving includes XORing together bits ofthe encrypted digital communication based on an error correction codingscheme or includes XORing bits of the encrypted digital communicationbit-stream with bits of a bit-stream consistent with an output of anerror-correction coding scheme.
 14. A device for attacking encrypted GSMcommunications, said device comprising: a first wireless transceiveradapted to (i) impersonate a GSM cellular network before a wirelessclient device; and (ii) receive, from the wireless client device, anencrypted first GSM communication, which first GSM communication isintended for the GSM cellular network; interfacing circuitry adapted to:(1) interface with analyzing circuitry adapted to recover an encryptionkey used by the wireless client device to encrypt the first GSMcommunication; (2) send the encrypted first GSM communication to theanalyzing circuitry; and (3) receive the encryption key used by thewireless client device to encrypt the first GSM communication from theanalyzing circuitry; a second wireless transceiver and first processingcircuitry, functionally associated with each other and adapted tojointly impersonate the wireless client device before the GSM cellularnetwork, using the recovered encryption key.
 15. The device according toclaim 14, wherein: said first transceiver is further adapted to: (1)receive encrypted second GSM communications, intended for the GSMcellular network, from the wireless client device; and (2) transmitfifth GSM communications to the wireless client device; said systemfurther comprises: third processing circuitry adapted to decrypt thesecond GSM communications, using the recovered encryption key; fourthprocessing circuitry adapted to generate, using the recovered encryptionkey, encrypted third GSM communications; fifth processing circuitryadapted to decrypt encrypted fourth GSM communications, using therecovered encryption key; and sixth processing circuitry adapted togenerate, using the recovered encryption key, the encrypted fifth GSMcommunications, at least partially based on data extracted from thefourth GSM communications; and said second wireless transceiver isfurther adapted to: (1) transmit the third GSM communications to the GSMcellular network, and (2) receive the encrypted fourth GSMcommunications, intended for the wireless client device, from the GSMcellular network.
 16. The device according to claim 14, wherein saidfirst wireless transceiver is further adapted to transmit to thewireless client device, under a guise of the cellular network, aprotocol message which elicits the wireless client device to transmitthe encrypted first GSM communication, prior to receiving, from thewireless client device, the encrypted first GSM communication.